
Question on email alerts

About a month ago I got our email alerts working. I'm now seeing some of the alerts below appear. I was wondering if the information field is self-explanatory on why the alert is appearing?

I.e. freespace override = ran out of space and purged logs?

Is there a document or something that would explain what these alerts mean?

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___

acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160318040233 and etime 20160318040233" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command

      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major

pid: 1578 logid: 0 cmd: 'sfagent'

hostname: XXXX category: policy_violation

event: dom violation srcdmn: SFag

reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0

information: ffs_alloc(): freespace override

___BEGIN_CMD___

acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160317214806 and etime 20160317214806" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command

      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major

pid: 15321 logid: 108 cmd: 'vscanupdate'

hostname: XXXX category: policy_violation

event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry

reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>

information: dumpcore: vscanupdate.core

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___

acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160307152455 and etime 20160307152455" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command

      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-07 15:24:55 -0600 f_kernel a_tepm t_attack p_major

pid: 1778 logid: 105 cmd: 'tcsh'

hostname: XXXX category: policy_violation

event: dit violation srcdmn: User tgtdmn: Audt

reason: OP: OP_PROC_TRAN perm wanted: 0x1<trans> perm granted: 0x0

information: Exec /usr/bin/acat

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___

acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160217084609 and etime 20160217084609" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command

      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-02-17 08:46:09 -0600 f_kernel a_tepm t_attack p_major

pid: 3771 logid: 108 cmd: 'tcsh'

hostname: XXXX category: policy_violation

event: ddt violation srcdmn: User filedom: mtac filetype: scrp

reason: OP: OP_FS_EXEC perm wanted: 0x2000<exec> perm granted: 0x9<read,execute>

information: Exec /usr/bin/mailq
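
The alert e-mails above all share one record layout, so they can be reduced to one summary line per violation for triage. The following Python is an added example, not part of the original post or of any vendor tool; `parse_alerts` and the `denied` field are hypothetical names, and treating the permission values as bit masks is an assumption based on the `<flag>` annotations in the records.

```python
import re

# Two records copied from the post (blank lines and the hostname line dropped).
SAMPLE = """\
2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override
2016-02-17 08:46:09 -0600 f_kernel a_tepm t_attack p_major
pid: 3771 logid: 108 cmd: 'tcsh'
event: ddt violation srcdmn: User filedom: mtac filetype: scrp
reason: OP: OP_FS_EXEC perm wanted: 0x2000<exec> perm granted: 0x9<read,execute>
information: Exec /usr/bin/mailq
"""

# A record starts at a timestamp line; split just before each one.
RECORD_START = re.compile(r"^(?=\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4} )", re.M)
# The samples use both "wanted perm:" and "perm wanted:", so accept either order.
PERM = r"(?:perm {0}|{0} perm): (0x[0-9a-fA-F]+)"
FIELDS = {
    "cmd": r"cmd: '([^']*)'",
    "event": r"event: (\w+) violation",
    "srcdmn": r"srcdmn: (\w+)",
    "op": r"OP: (\w+)",
    "wanted": PERM.format("wanted"),
    "granted": PERM.format("granted"),
    "information": r"information: (.*)",
}

def parse_alerts(text):
    """Return one dict per audit record found in an alert e-mail body."""
    records = []
    for chunk in RECORD_START.split(text):
        if not re.match(r"\d{4}-", chunk):
            continue  # preamble such as the acat command and the note
        rec = {"time": chunk[:25]}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, chunk)
            rec[name] = m.group(1).strip() if m else None
        if rec["wanted"] and rec["granted"]:
            # Assumption: the hex values are bit masks, as the <flag> names suggest.
            rec["denied"] = hex(int(rec["wanted"], 16) & ~int(rec["granted"], 16))
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in parse_alerts(SAMPLE):
        print(r["time"], r["cmd"], r["event"], r["op"], r.get("denied"), r["information"])
```

Grouping the output by `cmd` and `op` shows quickly whether the alerts come from one recurring process or from several unrelated ones.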
